Oops, new LastPass bug that affects 4.1.42 (Chrome&FF). RCE if you use the "Binary Component", otherwise can steal pwds. Full report on way. pic.twitter.com/y92vm3Ibxd
— Tavis Ormandy (@taviso) March 20, 2017
At this point, a few of my close friends who use LastPass and I were wondering if we could truly trust an application like LastPass to store all of our password information. I know from listening to a lot of security related podcasts that security is really hard for developers to get right. I am really thankful there are people like Tavis around who can find these vulnerabilities and disclose them in a responsible fashion: he has contacted LastPass about the vulnerability, posted some very basic details of it on Google Project Zero with no proof of concept, and states that LastPass have 90 days before he goes public with the vulnerability in all its detail.
However, LastPass managed to fix 3 serious bugs within a space of just 24 hours. That is just remarkable. LastPass patched the vuln, and because the plugin for Chrome updates automatically I immediately got the fix. Even though there were some serious bugs, I am seriously impressed with LastPass, and it shows that if you put your trust into someone who deeply cares about security they will make sure to release security updates in a prompt manner. It might shake your confidence that there are vulnerabilities like the ones Tavis has been finding, but I have more reassurance now that LastPass is a reputable and considerate company who cares about its customers and takes a very serious stance on security. It would seem that Tavis would also agree:
Very impressed with how fast @LastPass responds to vulnerability reports. If only all vendors were this responsive?
— Tavis Ormandy (@taviso) March 22, 2017
So what should you take away from this? Well, like I have said previously, security is really hard for anyone, and there are always going to be vulnerabilities in any piece of code (that is just how things are!). The main thing is how the developer responds to the security incident, which I think in this instance is fantastic. I have been a free LastPass user for the last few months, but I will be going premium to make sure that LastPass gets the continued support that they deserve.